1dovecot_selinux(8) SELinux Policy dovecot dovecot_selinux(8)
2
6 dovecot_selinux - Security Enhanced Linux Policy for the dovecot pro‐
7 cesses
8
10 Security-Enhanced Linux secures the dovecot processes via flexible
11 mandatory access control.
12 The dovecot processes execute with the dovecot_t SELinux type. You can
14 check if you have these processes running by executing the ps command
15 with the -Z qualifier.
16 For example:
18 ps -eZ | grep dovecot_t
20
24 The dovecot_t SELinux type can be entered via the dovecot_exec_t file
25 type.
26 The default entrypoint paths for the dovecot_t domain are the follow‐
28 ing:
29 /usr/sbin/dovecot
31
33 SELinux defines process types (domains) for each process running on the
34 system
35 You can see the context of a process using the -Z option to ps
37 Policy governs the access confined processes have to files. SELinux
39 dovecot policy is very flexible allowing users to setup their dovecot
40 processes in as secure a method as possible.
41 The following process types are defined for dovecot:
43 dovecot_t, dovecot_auth_t, dovecot_deliver_t
45 Note: semanage permissive -a dovecot_t can be used to make the process
47 type dovecot_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
53 SELinux policy is customizable based on least access required. dovecot
54 policy is extremely flexible and has several booleans that allow you to
55 manipulate the policy and run dovecot with the tightest access possi‐
56 ble.
57 If you want to allow users to resolve user passwd entries directly from
61 ldap rather then using a sssd server, you must turn on the authlo‐
62 gin_nsswitch_use_ldap boolean. Disabled by default.
63 setsebool -P authlogin_nsswitch_use_ldap 1
65 If you want to allow all domains to execute in fips_mode, you must turn
69 on the fips_mode boolean. Enabled by default.
70 setsebool -P fips_mode 1
72 If you want to allow confined applications to run with kerberos, you
76 must turn on the kerberos_enabled boolean. Enabled by default.
77 setsebool -P kerberos_enabled 1
79 If you want to allow system to run with NIS, you must turn on the
83 nis_enabled boolean. Disabled by default.
84 setsebool -P nis_enabled 1
86 If you want to allow confined applications to use nscd shared memory,
90 you must turn on the nscd_use_shm boolean. Disabled by default.
91 setsebool -P nscd_use_shm 1
93
97 The SELinux process type dovecot_t can manage files labeled with the
98 following file types. The paths listed are the default paths for these
99 file types. Note the processes UID still need to have DAC permissions.
100 cifs_t
102 cluster_conf_t
105 /etc/cluster(/.*)?
107 cluster_var_lib_t
109 /var/lib/pcsd(/.*)?
111 /var/lib/cluster(/.*)?
112 /var/lib/openais(/.*)?
113 /var/lib/pengine(/.*)?
114 /var/lib/corosync(/.*)?
115 /usr/lib/heartbeat(/.*)?
116 /var/lib/heartbeat(/.*)?
117 /var/lib/pacemaker(/.*)?
118 cluster_var_run_t
120 /var/run/crm(/.*)?
122 /var/run/cman_.*
123 /var/run/rsctmp(/.*)?
124 /var/run/aisexec.*
125 /var/run/heartbeat(/.*)?
126 /var/run/corosync-qnetd(/.*)?
127 /var/run/corosync-qdevice(/.*)?
128 /var/run/corosync.pid
129 /var/run/cpglockd.pid
130 /var/run/rgmanager.pid
131 /var/run/cluster/rgmanager.sk
132 data_home_t
134 /root/.local/share(/.*)?
136 /home/[^/]+/.local/share(/.*)?
137 dovecot_spool_t
139 /var/spool/dovecot(/.*)?
141 dovecot_tmp_t
143 dovecot_var_lib_t
146 /var/lib/dovecot(/.*)?
148 /var/run/dovecot/login/ssl-parameters.dat
149 dovecot_var_log_t
151 /var/log/dovecot(/.*)?
153 /var/log/dovecot.log.*
154 dovecot_var_run_t
156 /var/run/dovecot(-login)?(/.*)?
158 ecryptfs_t
160 /home/[^/]+/.Private(/.*)?
162 /home/[^/]+/.ecryptfs(/.*)?
163 fusefs_t
165 /var/run/user/[^/]*/gvfs
167 krb5_host_rcache_t
169 /var/cache/krb5rcache(/.*)?
171 /var/tmp/nfs_0
172 /var/tmp/DNS_25
173 /var/tmp/host_0
174 /var/tmp/imap_0
175 /var/tmp/HTTP_23
176 /var/tmp/HTTP_48
177 /var/tmp/ldap_55
178 /var/tmp/ldap_487
179 /var/tmp/ldapmap1_0
180 mail_home_rw_t
182 /root/Maildir(/.*)?
184 /root/.esmtp_queue(/.*)?
185 /var/lib/arpwatch/.esmtp_queue(/.*)?
186 /home/[^/]+/.maildir(/.*)?
187 /home/[^/]+/Maildir(/.*)?
188 /home/[^/]+/.esmtp_queue(/.*)?
189 mail_spool_t
191 /var/mail(/.*)?
193 /var/spool/imap(/.*)?
194 /var/spool/mail(/.*)?
195 /var/spool/smtpd(/.*)?
196 nfs_t
198 root_t
201 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
203 /
204 /initrd
205 security_t
207 /selinux
209 user_home_t
211 /home/[^/]+/.+
213
216 SELinux requires files to have an extended attribute to define the file
217 type.
218 You can see the context of a file using the -Z option to ls
220 Policy governs the access confined processes have to these files.
222 SELinux dovecot policy is very flexible allowing users to setup their
223 dovecot processes in as secure a method as possible.
224 EQUIVALENCE DIRECTORIES
226 dovecot policy stores data with multiple different file context types
229 under the /var/log/dovecot directory. If you would like to store the
230 data in a different directory you can use the semanage command to cre‐
231 ate an equivalence mapping. If you wanted to store this data under the
232 /srv dirctory you would execute the following command:
233 semanage fcontext -a -e /var/log/dovecot /srv/dovecot
235 restorecon -R -v /srv/dovecot
236 STANDARD FILE CONTEXT
238 SELinux defines the file context types for the dovecot, if you wanted
240 to store files with these types in a diffent paths, you need to execute
241 the semanage command to sepecify alternate labeling and then use
242 restorecon to put the labels on disk.
243 semanage fcontext -a -t dovecot_var_run_t '/srv/mydovecot_con‐
245 tent(/.*)?'
246 restorecon -R -v /srv/mydovecot_content
247 Note: SELinux often uses regular expressions to specify labels that
249 match multiple files.
250 The following file types are defined for dovecot:
252 dovecot_auth_exec_t
256 - Set files with the dovecot_auth_exec_t type, if you want to transi‐
258 tion an executable to the dovecot_auth_t domain.
259 Paths:
262 /usr/libexec/dovecot/auth, /usr/libexec/dovecot/dovecot-auth
263 dovecot_auth_tmp_t
266 - Set files with the dovecot_auth_tmp_t type, if you want to store
268 dovecot auth temporary files in the /tmp directories.
269 dovecot_cert_t
273 - Set files with the dovecot_cert_t type, if you want to treat the
275 files as dovecot certificate data.
276 Paths:
279 /etc/pki/dovecot(/.*)?, /usr/share/ssl/certs/dovecot.pem,
280 /usr/share/ssl/private/dovecot.pem
281 dovecot_deliver_exec_t
284 - Set files with the dovecot_deliver_exec_t type, if you want to tran‐
286 sition an executable to the dovecot_deliver_t domain.
287 Paths:
290 /usr/libexec/dovecot/deliver, /usr/libexec/dovecot/dovecot-lda
291 dovecot_deliver_tmp_t
294 - Set files with the dovecot_deliver_tmp_t type, if you want to store
296 dovecot deliver temporary files in the /tmp directories.
297 dovecot_etc_t
301 - Set files with the dovecot_etc_t type, if you want to store dovecot
303 files in the /etc directories.
304 Paths:
307 /etc/dovecot(/.*)?, /etc/dovecot.conf.*
308 dovecot_exec_t
311 - Set files with the dovecot_exec_t type, if you want to transition an
313 executable to the dovecot_t domain.
314 dovecot_initrc_exec_t
318 - Set files with the dovecot_initrc_exec_t type, if you want to transi‐
320 tion an executable to the dovecot_initrc_t domain.
321 dovecot_keytab_t
325 - Set files with the dovecot_keytab_t type, if you want to treat the
327 files as kerberos keytab files.
328 dovecot_passwd_t
332 - Set files with the dovecot_passwd_t type, if you want to treat the
334 files as dovecot passwd data.
335 dovecot_spool_t
339 - Set files with the dovecot_spool_t type, if you want to store the
341 dovecot files under the /var/spool directory.
342 dovecot_tmp_t
346 - Set files with the dovecot_tmp_t type, if you want to store dovecot
348 temporary files in the /tmp directories.
349 dovecot_var_lib_t
353 - Set files with the dovecot_var_lib_t type, if you want to store the
355 dovecot files under the /var/lib directory.
356 Paths:
359 /var/lib/dovecot(/.*)?, /var/run/dovecot/login/ssl-parameters.dat
360 dovecot_var_log_t
363 - Set files with the dovecot_var_log_t type, if you want to treat the
365 data as dovecot var log data, usually stored under the /var/log direc‐
366 tory.
367 Paths:
370 /var/log/dovecot(/.*)?, /var/log/dovecot.log.*
371 dovecot_var_run_t
374 - Set files with the dovecot_var_run_t type, if you want to store the
376 dovecot files under the /run or /var/run directory.
377 Note: File context can be temporarily modified with the chcon command.
381 If you want to permanently change the file context you need to use the
382 semanage fcontext command. This will modify the SELinux labeling data‐
383 base. You will need to use restorecon to apply the labels.
384
387 semanage fcontext can also be used to manipulate default file context
388 mappings.
389 semanage permissive can also be used to manipulate whether or not a
391 process type is permissive.
392 semanage module can also be used to enable/disable/install/remove pol‐
394 icy modules.
395 semanage boolean can also be used to manipulate the booleans
397 system-config-selinux is a GUI tool available to customize SELinux pol‐
400 icy settings.
401
404 This manual page was auto-generated using sepolicy manpage .
405
408 selinux(8), dovecot(8), semanage(8), restorecon(8), chcon(1), sepol‐
409 icy(8), setsebool(8), dovecot_auth_selinux(8), dovecot_auth_selinux(8),
410 dovecot_deliver_selinux(8), dovecot_deliver_selinux(8)
411dovecot 19-05-30 dovecot_selinux(8)